The Internet of Things: Model of Convenience or Invasion of Privacy?

Introduction: A (Virtual) Witness for the Prosecution?

On a cold November morning in 2015, police visited a home in Bentonville, Arkansas. There, in a hot tub, they found the body of Victor Collins floating face up. The home was owned by one James A. Bates. Bates had called 911 to report the death of Collins, his friend. He told the police that he, Collins, and their friends had stayed up late the night before watching football and drinking, and that he awoke to find Collins’ lifeless body.

After the police discovered signs of foul play, the Arkansas chief medical examiner ruled the death a homicide. The police obtained a warrant to search Bates’ house and discovered various “smart home” devices, including a Nest thermostat, a Honeywell alarm system, a wireless weather monitoring system, and an Amazon Echo. They seized the Echo and served a warrant on Amazon for data collected by the device.

The Amazon Echo contains an always-active microphone, which begins recording as soon as it detects a “wake word,” most commonly “Alexa,” the name of the Amazon Echo “personality” that interacts with the user. The Echo’s voice command feature can be used to answer questions about the weather, play music, and purchase items from Amazon.com, among other things. When the Echo detects the wake word, it begins streaming audio to the cloud, including a fraction of a second of audio before the wake word. The recording and transcription of this audio are logged and stored in the Amazon Alexa app. Accordingly, Amazon keeps a log not only of the audio recorded by the Echo but also, perhaps of key interest to investigators in the Bates homicide, of the exact time the audio was recorded.

Amazon has thus far refused to comply with the warrant in the Bates case, claiming that the demand is overly broad and “otherwise inappropriate.”1 The Bates homicide case raises issues in both criminal and civil law regarding the validity and discoverability of data stored in the “Internet of Things.”

The Internet of Things (often abbreviated as “IoT”) describes the internetworking of smart devices with built-in electronics, software, and sensors that enable these objects to collect and exchange data. Smartphones communicate with a user’s refrigerator and automatically generate a shopping list. Computers embedded in cars record speed, direction, and travel patterns. The Nest device automatically modulates thermostat settings, predicting the temperature the user desires at any given time of day based on prior use. Experts estimate that the IoT will apply to almost five billion objects by 2020.2

IoT Data in Criminal Cases

In the criminal law arena, discoverability of IoT data implicates the Fourth Amendment. The Fourth Amendment guarantees the right of security in individuals’ “persons, houses, papers, and effects.” “Effects” have traditionally been understood to encompass personal property.3

Recent Supreme Court jurisprudence provides a clue as to how the highest court in the land may apply the Fourth Amendment to the IoT. In Riley v. California, 134 S. Ct. 2473 (2014), a smartphone was recovered incident to an arrest. Police officers reviewed the phone’s data, which revealed incriminating evidence. The issue before the Court was whether the smartphone data was admissible. In its opinion, the Court differentiated between physical objects (the phone itself) and digital content (the data contained in the phone), and held in a rare unanimous opinion that the digital content could not be searched without a warrant.4 In coming to this conclusion, the Court considered factors such as the massive storage capacity of smartphones and the personal information-packed nature of data stored within.5 It characterized a smartphone as akin to a “minicomputer,” which constantly communicates with information stored in the cloud.6 A search of digital content on smartphones would thus extend beyond the scope of “effects” found in the immediate physical proximity of an arrestee, and admissibility of such data is barred by the Fourth Amendment.7

Although the Riley decision has not been specifically applied to devices such as the Amazon Echo, it stands to reason that under the same analysis, data collected by Amazon and stored on the Alexa app would fall outside the scope of “effects,” and therefore its admission in a criminal trial would be barred by the Fourth Amendment.

Recordation of private communications within the confines of one’s home also implicates statutes that protect an individual’s right to privacy. For example, in California, Penal Code § 632 prohibits intentional eavesdropping through voice amplification or recording without the consent of all parties.8 The terms and conditions for the Amazon Echo evade liability under § 632 by informing users that the Echo streams and retains user information in the cloud, and purchasers accept this when they purchase the device. Furthermore, Amazon gives users the option to delete the data stored on the cloud at any time.9

Discoverability of IoT Data in Quasi-Criminal and Civil Cases

The issue of discoverability of IoT data may arise in a quasi-criminal context in which the civil courts are employed by the government incident to a criminal matter. For example, in the dispute between Apple and the Department of Justice in connection with the 2015 terrorist attack in San Bernardino, Apple refused to comply with not only the DOJ’s request to unlock the iPhone of the terrorist who carried out the attack, but also with a federal court order that it do so pursuant to the All Writs Act, 28 U.S.C. § 1651. Apple argued in that case that it should not be compelled to turn over user data on due process grounds, and Amazon joined other tech companies such as Facebook, Microsoft and Google in filing a joint amicus brief in support of Apple’s position. A decisive clash between Apple and the DOJ was not meant to be, as the DOJ found another way into the phone of the deceased terrorist, essentially hacking into it to gain access to user data.10

In civil cases, aggregators of user data such as Amazon may look to federal law to avoid having to produce user data, at least in cases where the user does not consent to disclosure. Under the Stored Communications Act, Title II of the Electronic Communications Privacy Act, enacted in 1986,11 a service provider of an “‘electronic communication service’ shall not knowingly divulge ... the contents of a communication while in electronic storage by that service....”12 Additionally, the statute protects information stored by Remote Computing Services (RCS), and requires that a service provider shall not knowingly divulge “the contents of any communication which is carried or maintained on that service.”13 The Stored Communications Act preempts California and other state discovery laws. However, a service provider or RCS is excused from complying with the provisions of the SCA if it is provided with “lawful consent,” which can be given by the originator of the message, an intended recipient of the message, or, in the case of an RCS, the subscriber to the service.14

The SCA and its application to discovery in civil cases was recently addressed in a 2014 case involving Google. In Negro v. Superior Court, 230 Cal. App. 4th 879 (2014), a California court denied a motion to quash a deposition subpoena to Google in connection with a civil suit filed in Florida. The subpoena sought emails from Google belonging to a party to the underlying suit (Negro), who refused to produce the documents. The California trial court denied the motion to quash and ordered Google to produce the emails, reasoning that the “consent” element under the SCA was satisfied because the court chose to enforce the deposition subpoena:

On the issue of consent, the tentative ruling [by the trial court] stated that [it] had the power to require Negro's consent; that prior efforts by [the subpoenaing party] to obtain the messages directly from Negro had been unsuccessful; and that “[t]herefore, resort to the electronic data bailee would seem to be justified.” It then continued, in language that would be incorporated in the order now under review, “The concept of court ordered consent as an exception to the [SCA] applies here. That order comes from the Florida court's order for appointment of a commissioner to take the testimony and documents from Google as well as from this court which now has denied the petition to quash the subpoena. It matters little whether the consent is the result of the coercion of discovery sanctions or the order of the court over the steadfast objection of the party.”15

Reviewing Negro’s writ of mandate or prohibition, the California Court of Appeal found the trial court’s position untenable under the SCA. The Court of Appeal held that actual consent of a party was required, not constructive or imputed consent.16 Although a party may be compelled by a trial court to provide consent to disclosure of electronic data, that consent may not be implied in law.17

However, once a court has ordered a party to provide consent, a service provider is no longer protected from producing user data. In Negro, Google argued that emails received blanket protection from state discovery laws under the SCA, but the Court of Appeal found that “nothing in the Act suggests that service providers remain shielded from state discovery laws when the disclosures sought are not forbidden by the Act.”18 Under the SCA, a party to a civil suit can be compelled to provide consent to a service provider to disclose personal information, but the court’s authority to compel consent from a non-party is much more limited. The Court did note that there may be circumstances where an individual does “imply consent” through conduct, but the Court found that there was no evidence in the record that suggested that Negro “sent or received emails with the foreknowledge that they might not remain private.”19

There have not been any civil cases in California in which the SCA was applied to IoT data such as Amazon Echo recordings. However, under the precedent of Negro v. Superior Court, a court would likely hold that Amazon would be required to produce stored data, assuming that the user either consented to or was ordered to consent to disclosure.

Postscript

Returning to the investigation of the Collins murder, it may not matter whether Amazon produces the recordings obtained from Bates’ home, as another, less high-tech device may provide the smoking gun that the Arkansas prosecutors are looking for. One piece of equipment in Bates’ heavily IoT-connected home was a smart water meter that tracked water usage. The meter shows that between 1 and 3 a.m. on the night in question, 140 gallons of water were used at the home, which prosecutors contend is a much larger amount than the prior recorded usage, suggesting that Bates used the water to cover up traces of the crime. The reliability of the water meter data is in contention, and will be addressed at the next court hearing, set to take place in March.